diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix
index f79a7ff..33a77a0 100644
--- a/hosts/chunk/grafana.nix
+++ b/hosts/chunk/grafana.nix
@@ -42,6 +42,7 @@
 
   services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = ''
     import common
+    import authelia
     reverse_proxy localhost:8088
   '';
 }
diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix
index 1e7e497..765e0f5 100644
--- a/hosts/chunk/hedgedoc.nix
+++ b/hosts/chunk/hedgedoc.nix
@@ -14,6 +14,7 @@
       domain = "pad.cy7.sh";
       allowEmailRegister = false;
       protocolUseSSL = true;
+      imageuploadtype = "minio";
     };
   };
 
diff --git a/modules/authelia.nix b/modules/authelia.nix
index afd8b52..b882a42 100644
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@@ -77,6 +77,23 @@ in
             userinfo_signed_response_alg = "none";
             token_endpoint_auth_method = "client_secret_basic";
           }
+          {
+            client_id = "hedgedoc";
+            client_name = "HedgeDoc";
+            client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg";
+            public = false;
+            authorization_policy = "two_factor";
+            redirect_uris = [
+              "https://pad.cy7.sh/auth/oauth2/callback"
+            ];
+            scopes = [ "openid" "profile" "email" ];
+            userinfo_signed_response_alg = "none";
+            grant_types = [ "refresh_token" "authorization_code" ];
+            response_types = [ "code" ];
+            response_modes = [ "form_post" "query" "fragment" ];
+            audience = [];
+            token_endpoint_auth_method = "client_secret_post";
+          }
         ];
       };
       secrets = {
@@ -101,4 +118,4 @@ in
       reverse_proxy localhost:9091
     '';
   };
-}
\ No newline at end of file
+}
diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml
index 84ef3d6..a970c3b 100644
--- a/secrets/services/hedgedoc.yaml
+++ b/secrets/services/hedgedoc.yaml
@@ -1,10 +1,6 @@
 hedgedoc:
-    env: ENC[AES256_GCM,data:15rWiIYWyIJ0Hxl5I8m+EBV+FkNDT/OHlLK9shVS46UE7SQtuIh45N5hvwgs0rg9E9Tawu+lyE2aozWNh6HSDUZ1h4FYrB+JHwIetGkOqXSLHfXi,iv:v9ohLTtlxw3fsRoJJoOY5VYxVsxUyDEsQHRjcGKg/GY=,tag:Wncm1reqNblnVhRTYjU3Pg==,type:str]
+    env: ENC[AES256_GCM,data:XClDoB4GH+gdOO2d2MQZUvjY1Y70/hlGbPlULBMNL+xv8OLUQCIpA8XBV8pLKdSbSimrzyXhIAIbCGGS4Q1NoWcoH99G4+pXRvHyOo7MyUs8wqXJc/mQ+e1SEXji3cwdiQUxrbov6w6e6fEYg4VhsHs/zJXLeS2M3jdYAlYy3jeJ5WcbPO9zlkz6h21fO5FOKzzaPXgnZGxj4JiZUivHLzSsQ+4TN3bgSdb+2048uQAn9RnLFKeROVE9Z8DzAIIPbE6KxWwYr2fFCdlegFA3taLJ+FwoCCaSoLDOrd78SDzcHmSpLJfD3ZRCFExE9xogLXx7kZNX6uPtncxN1W5iemW9F7aEyZmkv0POUlldyLSyhTk8Z6jzQkgbymIp/STHdcg4GvWvz8KZ+Yd+tBjkNlTCXuc0S/JGuyjf6we8yuYWnRkfMwQ4GNIjsIHQYSMjpLviNZfKrPk8T0DijtmZnb4Zdw5eg4KLjMS3DfJAeR7c3LnOOIwgzcwTBDFsQunnxpZTT6eZSFbyktVEBH6CaXTWONzOH2Ff1mn/Tbzg7RHo/CaOXDqeJ6B5GejK5ahmeko1SYp+qsX/qdf75lNbJieUcPtfkVwrcHK187HbPSZkf6DYDNvpDcuPD1kQqq2OUb5lHKohbN8iGnwzFlPF4w60jGOzwry8CbctZtynFB6LdK4NTPsiGv9OqU+y5rqm24GjaHljTawbMwYt5kWmLYMtVwcWkXJdFdRUu4hfmMmNUYExpx5CBCjiXZTnElTivmGw3NPdncIsfjo8gOliM/ZidmZxrn5a5+RzLfYslQecp50ek/9UIRPB9P4UyLqgl3rYwh4BadVyIro5mRQBz3nnvEj1kwIeSVwC60Ysv/Uel4zfULKV0vAE+7x2Ogs1s/4N3wYuCns/+UOnS2DNnnjpSHF75Z/GktD9Ni1MJYeOpLU559gbGzKen+6ndy2oXQw8fdFC7ZlwkzRO5YKmrOpwVaVUC4vIYWJO4lFCgajJEpqGhRgPjHE8xFcPu1/kCyYFWVUC/9CAYFFqzpOhczLiS08CqCR9F9XktX3tgHqcJkz473B6xsAIeS2TCgMtRozLwi8OBwiDUZZYAVSmt+h1Dlq09cvjfhXfPQCHVh5jajlPNuXsNXtfVlz45i1DYo7ccyE+Svn2eMs5smkCXt66aFOMujURvkzTZqXYK3loaQPck2DXlN6nFCXlig==,iv:eUa/yfdrxj9+GBqyp03s/7q67fAgr6Z39sT4iqb/38Q=,tag:Je9lq7BLB4NJGDTWAKRgIQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
           enc: |
@@ -24,8 +20,7 @@ sops:
             enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e
             9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-17T03:25:54Z"
-    mac: ENC[AES256_GCM,data:1cxiK/HhqYzatT2PhZxjvtizII2QMHqbbyOujUtx4cT8x488j2wecu6hOfSkuHbQ43AxA8kDH1NAruPCSdCpj3PytMR+np+R/5WuRcK+OF/FCnWvWvvHqgDnBs/wYjllnR6HyWBlhrROpINxu9ch4fzN0Def3I7O+wJgpojnPiU=,iv:PKPykPv9zSHj9+HXnrg1v8Ty78te66D9ZH6c1V7Qlh4=,tag:JQk68u6p317r3Df+hv16+g==,type:str]
-    pgp: []
+    lastmodified: "2025-04-04T16:46:41Z"
+    mac: ENC[AES256_GCM,data:X7wtnmauh/tRbYCSPNtr/38CVyhIezYQKwcysna+3d31QatbAfTSkAMAWcSG+brpvAW14UfhwRiaCPoSjkS5eSkwd99S0CBI50yCjUFh43Uum3TBJhAnc6bzQkJHGXRk7duxkQJvEeDDZT4ph+/UoZ2xGu5LCjpLenDqldeHgCg=,iv:jMVBz0gPoW/J8NvkSGMjx28nXpX8mpWBrvXyCgi7F1U=,tag:mTj/2mwVjy3wYIsHnbMXDw==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.1